The study guide identifies this exact output as an expectation session created by the FTP session helper :
“run helper-ftp” indicates the FTP helper is in use.
“FortiGate created an expectation session and opened the pinhole port for the expected return traffic”
It also explains why this exists:
“Another important function of the session helper is to temporarily create an expected session (or pinhole) for the data channel connection that comes from the server.”
“The session helper automatically creates the session and opens the door for the incoming connection.”
“These incoming TCP sessions use random TCP port numbers.”
That directly proves C is correct.
For A , the exhibit shows expire=23. The study guide explains the expire field as the length of time until the session expires if no matching traffic arrives, and the FortiOS guide states for expectation sessions:
“Expectation sessions usually have a timeout value of 30 seconds. If the communication from the server is not initiated within 30 seconds the expectation session times out and traffic will be denied.”
So with expire=23, FortiGate will allow that expected traffic only for the remaining 23 seconds; after that, it times out and the traffic is denied. That makes A correct.
Why the other options are wrong:
B is not supported . The study guide describes expectation sessions as being created by the session helper from the control-session negotiation, not as independent objects unaffected by the master session.
D is wrong as stated. Even though the output contains policy_id=25, the study guide explicitly says the incoming expected connection is allowed by the expected session itself, “even when no firewall policy allows it.”
